[dovecot] Re: Some experiences

David E. Storey dave at tamos.net
Mon Jan 6 02:37:29 EET 2003


On Sun, 2003-01-05 at 19:00, Amelia A.Lewis wrote:
> Umm, forgive me, but as I understand DIGEST-MD5, it does store hashed. 
> Are you thinking of CRAM-MD5?  As far as I know, that requires
> plain-text storage on the server, and I agree with your criticisms.  I
> happen to like DIGEST-MD5 because it looks like someone finally came
> along and got the SASL auth mechanism right.
> 
> But perhaps I'm the one that's mistaken.

=) no, you're right in that it's stored hashed. I was thinking of
CRAM-MD5 specifically, but after reviewing section 3.9 of RFC2831, I'm
still thinking that DIGEST-MD5 isn't really for me.

What's hashed is the username + ":" + realm + ":" + password. This is
used to compute a part of the protocol (referenced as A1). To quote the
RFC:

   There are two important security consequences of this. First the
   password file must be protected as if it contained plaintext
   passwords, because for the purpose of accessing documents in its
   realm, it effectively does.

   A second consequence of this is that the realm string should be
   unique among all realms that any single user is likely to use. In
   particular a realm string should include the name of the host doing
   the authentication.

To me, this means a few things: 1) you can no longer simply change a user's
name, 2) you can no longer simply change a host's name if you follow the RFC,
and finally 3) you can't efficiently use digest-md5 in a distributed
authentication environment (it just doesn't scale well).

Since I deal with system-level accounts across multiple systems with
occasional username changes (such as when someone marries) and system
migrations where users and mail get shifted over to systems with different
names or domains, digest-md5 looks more and more like the wrong
tool for the job.

Your requirements may be different, however, and digest-md5 may be the
perfect solution. =)

d!
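An added illustration of the point made above, not code from the thread or from Dovecot: the stored DIGEST-MD5 secret is H(username ":" realm ":" password) per RFC 2831 section 3.9, so an administrator who only holds the hash cannot rename a user or move the account to a differently named host without collecting the password again, and a realm shared across hosts makes their stored hashes identical. Account names and passwords are constructed sample values.

```python
import hashlib
from typing import Dict, Tuple

def digest_md5_ha1(username: str, realm: str, password: str) -> bytes:
    """RFC 2831 section 3.9: the server stores H(username ":" realm ":" password)
    (the first part of A1) instead of the plaintext password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()

class PasswordFile:
    """Hypothetical stand-in for a DIGEST-MD5 password database, keyed by (user, realm)."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], bytes] = {}

    def enrol(self, username: str, realm: str, password: str) -> None:
        # Only moment the server sees the plaintext password.
        self.entries[(username, realm)] = digest_md5_ha1(username, realm, password)

    def verify(self, username: str, realm: str, password: str) -> bool:
        stored = self.entries.get((username, realm))
        return stored is not None and stored == digest_md5_ha1(username, realm, password)

    def rename(self, old: str, new: str, realm: str) -> None:
        """All an admin can do without the password: re-key the stored hash.
        The hash itself still binds the old username."""
        self.entries[(new, realm)] = self.entries.pop((old, realm))

def rename_breaks_login() -> bool:
    """Username change (e.g. after a marriage): the moved hash no longer verifies."""
    pf = PasswordFile()
    pf.enrol("amelia", "mail.example.com", "constructed-password")  # constructed sample
    before = pf.verify("amelia", "mail.example.com", "constructed-password")
    pf.rename("amelia", "amelia.lewis", "mail.example.com")
    after = pf.verify("amelia.lewis", "mail.example.com", "constructed-password")
    return before and not after  # the user must re-enter the password to be re-enrolled

def host_rename_breaks_login() -> bool:
    """Host/realm change: a hash stored under the old realm is useless under the new one."""
    pf = PasswordFile()
    pf.enrol("bob", "old-mx.example.com", "constructed-password")
    return not pf.verify("bob", "new-mx.example.com", "constructed-password")

def shared_realm_hashes_collide() -> bool:
    """Why the RFC wants the host name in the realm: with one shared realm, two hosts
    keep the identical hash for the same user, so one leaked file works on both."""
    shared = digest_md5_ha1("bob", "example.com", "pw") == digest_md5_ha1("bob", "example.com", "pw")
    per_host = digest_md5_ha1("bob", "mx1.example.com", "pw") != digest_md5_ha1("bob", "mx2.example.com", "pw")
    return shared and per_host
```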